From cf8a2228408120a194a5a9b9e0c843ea0b68420b Mon Sep 17 00:00:00 2001 From: Pritam Singh Date: Mon, 9 Aug 2021 16:43:31 +0530 Subject: [PATCH] Added_bz_1976010_automation_upstream [SKIP CI] Signed-off-by: Pritam Singh --- tests/dogtag/pytest-ansible/.gitlab-ci.yml | 1 + ...profile_list_without_immediate_issuance.py | 261 ++++++++++++++++++ 2 files changed, 262 insertions(+) create mode 100644 tests/dogtag/pytest-ansible/pytest/ca/bugzilla/test_bz_1976010_restrict_ee_profile_list_without_immediate_issuance.py diff --git a/tests/dogtag/pytest-ansible/.gitlab-ci.yml b/tests/dogtag/pytest-ansible/.gitlab-ci.yml index 8a55e89d2ac..93e198e7413 100644 --- a/tests/dogtag/pytest-ansible/.gitlab-ci.yml +++ b/tests/dogtag/pytest-ansible/.gitlab-ci.yml @@ -237,6 +237,7 @@ ca-topo-00-bugzilla-cp: - ansible-playbook -i $HOSTFILE $PYTEST_DIR/installation/main.yml --extra-vars "topology=topology-00" -vv | sed 's/\\n/\n/g' - py.test --html=$CI_PROJECT_DIR/${CI_JOB_NAME}_html_report.html --self-contained-html --ansible-inventory $HOSTFILE --ansible-host-pattern master $PYTEST_DIR/pytest/ca/bugzilla/test_bug_1656772_man_pkispawn_having_reference_to_setup-ds.py -q -s --junitxml ${CI_JOB_NAME}_junit.xml | sed 's/\\n/\n/g' - py.test --html=$CI_PROJECT_DIR/${CI_JOB_NAME}_html_report.html --self-contained-html --ansible-inventory $HOSTFILE --ansible-host-pattern master --ansible-playbook-inventory $HOSTFILE --ansible-playbook-directory $PYTEST_DIR/pytest/ca/bugzilla/ $PYTEST_DIR/pytest/ca/bugzilla/test_bug_1426572_1930586_cert_fix_tool.py -qsvv --junitxml ${CI_JOB_NAME}_junit.xml | sed 's/\\n/\n/g' + - py.test --html=$CI_PROJECT_DIR/${CI_JOB_NAME}_html_report.html --self-contained-html --ansible-inventory $HOSTFILE --ansible-host-pattern master $PYTEST_DIR/pytest/ca/bugzilla/test_bz_1976010_restrict_ee_profile_list_without_immediate_issuance.py -q -s --junitxml ${CI_JOB_NAME}_junit.xml | sed 's/\\n/\n/g' topo-02-ca-bugzillas-gs: <<: *job_definition diff --git a/tests/dogtag/pytest-ansible/pytest/ca/bugzilla/test_bz_1976010_restrict_ee_profile_list_without_immediate_issuance.py b/tests/dogtag/pytest-ansible/pytest/ca/bugzilla/test_bz_1976010_restrict_ee_profile_list_without_immediate_issuance.py new file mode 100644 index 00000000000..6ffd39cadf5 --- /dev/null +++ b/tests/dogtag/pytest-ansible/pytest/ca/bugzilla/test_bz_1976010_restrict_ee_profile_list_without_immediate_issuance.py @@ -0,0 +1,261 @@ +#!/usr/bin/python +# -*- coding: UTF-8 -*- + +""" +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Description: Automation of Bz_1976010: Restrict EE profile list and +# enrollment submission per LDAP group without immediate issuance +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# Author: Pritam Singh +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# Copyright Red Hat, Inc. +# SPDX-License-Identifier: GPL-2.0-or-later +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +""" + +import logging +import os +import sys +import pytest +import time + +log = logging.getLogger() +logging.basicConfig(stream=sys.stdout, level=logging.INFO) + +try: + from pki.testlib.common import constants +except Exception as e: + if os.path.isfile('/tmp/test_dir/constants.py'): + sys.path.append('/tmp/test_dir') + import constants + +topology = constants.CA_INSTANCE_NAME.split("-")[1].strip() +instance_name = constants.CA_INSTANCE_NAME +ca_config_path = '/var/lib/pki/{}/ca/conf/CS.cfg'.format(constants.CA_INSTANCE_NAME) +ca_profile_path = '/var/lib/pki/{}/ca/profiles/ca/caDirUserCert.cfg'.format(constants.CA_INSTANCE_NAME) + + +@pytest.mark.skipif('topology != "00"') +@pytest.fixture(autouse=True) +def topo00_setup_for_ldap_and_ca(ansible_module): + """ + :id: 90f34de5-a5b8-469c-ab28-73bc0e08638e + :Title: Topology-00 setup for ldap, ca + :Description: setup ldap, ca + :Requirement: RHCS-REQ Certificate Authority Administration + :CaseComponent: \- + :Setup: Use the subsystems setup in ansible to run subsystem commands + :Steps: + 1. Install Ldap server + 2. Install CA + 3. Remove CA + 4. Remove LDAP + :ExpectedResults: + 1. It should install and remove ldap, ca + :Automated: yes + """ + # Setup DS instance + ansible_module.command('cp -R /tmp/test_dir/ /tmp/test_conf') + log.info('Installing DS') + out = ansible_module.shell('dscreate from-file /tmp/test_conf/ldap.cfg') + for result in out.values(): + assert result['rc'] == 0 + log.info("Setup DS instance.") + + # Setup CA instance + log.info('Installing CA') + install_ca = ansible_module.shell('pkispawn -s CA -f /tmp/test_conf/ca.cfg') + for result in install_ca.values(): + assert result['rc'] == 0 + log.info("CA Installed successfully") + + + # Create NSSDB and import certificates + + ansible_module.command('pki -d {} -c {} client-init ' + '--force'.format(constants.NSSDB, constants.CLIENT_DATABASE_PASSWORD)) + log.info("Initialize client dir: {}".format(constants.NSSDB)) + command = 'pki -d {} -c {} -p {} client-cert-import --ca-server'.format(constants.NSSDB, + constants.CLIENT_DATABASE_PASSWORD, + constants.CA_HTTPS_PORT) + ansible_module.expect(command=command,responses={"Trust this certificate (y/N)?": "y"}) + log.info("Imported RootCA cert.") + + ansible_module.command('pki -d {} -c {} client-cert-import --pkcs12 {} ' + '--pkcs12-password {}'.format(constants.NSSDB, constants.CLIENT_DATABASE_PASSWORD, + constants.CA_CLIENT_DIR + "/ca_admin_cert.p12", + constants.CLIENT_PKCS12_PASSWORD)) + log.info("Imported CA Admin Cert.") + + + yield + + # Remove CA instance + log.info('Removing CA') + remove_ca = ansible_module.shell('pkidestroy -s CA -i {} --remove-logs'.format(constants.CA_INSTANCE_NAME)) + for result in remove_ca.values(): + assert result['rc'] == 0 + log.info("CA removed successfully.") + time.sleep(5) + + # Remove Ldap server + log.info('Removing DS') + remove_ldap = ansible_module.shell('dsctl topology-00-testingmaster remove --do-it') + for result in remove_ldap.values(): + assert result['rc'] == 0 + log.info("LDAP removed successfully.") + ansible_module.command('rm -rf {}'.format(constants.NSSDB)) + + +@pytest.mark.skipif('topology != "00"') +def test_bz_1976010_restrict_ee_profile_list_without_immediate_issuance(ansible_module): + """ + :id: db9da98e-a707-4603-97d5-146b26e51a1e + :Title: Test bz 1976010: Restrict EE profile list without immediate issuance + :Description: Test bz 1976010: Restrict EE profile list without immediate issuance + :Requirement: RHCS-REQ Certificate Authority Administration + :CaseComponent: \- + :Setup: Use the subsystems setup in ansible to run subsystem commands + :Steps: + 1. Create group 'requestors' + 2. Create user 'reqUser1' + 3. Add 'reqUser1' user to 'requestors' group + 4. Add LDAP authentication configuration in CS.cfg + 5. Add 'auth.explicitApprovalRequired=true' and 'authz.acl=group=requestors' lines for LDAP authentication for the LDAP group requestors in caDirUserCert.cfg profile + 6. Restart the CA subsystem + 7. Create the certificate request with user 'reqUser1' which is a group member of the 'requestors' group + 8. Create a certificate request with user 'caadmin' which is not a member of 'requestors' group + :ExpectedResults: + 1. No automatic certificate issuance + 2. The certificate request status should be 'pending' + :Automated: yes + :customerscenario: yes + """ + # Create group 'requestors' + group_name = "requestors" + cmd_out = ansible_module.pki(cli="ca-group-add", + nssdb=constants.NSSDB, + dbpassword=constants.CLIENT_DATABASE_PASSWORD, + protocol='https', + port=constants.CA_HTTPS_PORT, + hostname=constants.MASTER_HOSTNAME, + certnick='"{}"'.format(constants.CA_ADMIN_NICK), + extra_args='{}'.format(group_name)) + for result in cmd_out.values(): + if result['rc'] == 0: + assert 'Added group "{}"'.format(group_name) in result['stdout'] + assert 'Group ID: {}'.format(group_name) in result['stdout'] + log.info('Successfully ran : {}'.format(result['cmd'])) + else: + log.error(result['stdout']) + log.error(result['stderr']) + pytest.fail("Failed to run : {}".format(result['cmd'])) + + # Create user 'reqUser1' + user_name = "reqUser1" + cmd_out = ansible_module.pki(cli="ca-user-add", + nssdb=constants.NSSDB, + dbpassword=constants.CLIENT_DATABASE_PASSWORD, + protocol='https', + port=constants.CA_HTTPS_PORT, + hostname=constants.MASTER_HOSTNAME, + certnick='"{}"'.format(constants.CA_ADMIN_NICK), + extra_args='{} --fullName "{}" --password {}'.format( + user_name, user_name, constants.CA_PASSWORD)) + for result in cmd_out.values(): + if result['rc'] == 0: + assert 'Added user "{}"'.format(user_name) in result['stdout'] + assert 'User ID: {}'.format(user_name) in result['stdout'] + assert 'Full name: {}'.format(user_name) in result['stdout'] + log.info('Successfully ran : {}'.format(result['cmd'])) + else: + log.error(result['stdout']) + log.error(result['stderr']) + pytest.fail('Failed to run: {}'.format(result['cmd'])) + + # Add 'reqUser1' user to 'requestors' group + cmd_out = ansible_module.pki(cli="ca-group-member-add", + nssdb=constants.NSSDB, + dbpassword=constants.CLIENT_DATABASE_PASSWORD, + protocol='https', + port=constants.CA_HTTPS_PORT, + hostname=constants.MASTER_HOSTNAME, + certnick='"{}"'.format(constants.CA_ADMIN_NICK), + extra_args='"{}" {}'.format(group_name, user_name)) + for result in cmd_out.values(): + if result['rc'] == 0: + assert 'Added group member "{}"'.format(user_name) in result['stdout'] + assert 'User: {}'.format(user_name) in result['stdout'] + log.info("Successfully ran : {}".format(result['cmd'])) + else: + log.error(result['stdout']) + log.error(result['stderr']) + pytest.fail("Failed to ran : {}".format(result['cmd'])) + + # Add LDAP authentication configuration in CS.cfg + + ldap_conf = ['auths.instance.UserDirEnrollment.dnpattern=uid=$attr.uid,ou=people,o={}-CA'.format(constants.CA_INSTANCE_NAME), + 'auths.instance.UserDirEnrollment.ldap.basedn=ou=people,o={}-CA'.format(constants.CA_INSTANCE_NAME), + 'auths.instance.UserDirEnrollment.ldap.ldapconn.host={}'.format(constants.MASTER_HOSTNAME), + 'auths.instance.UserDirEnrollment.ldap.ldapconn.port={}'.format(constants.LDAP_PORT), + 'auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false', + 'auths.instance.UserDirEnrollment.ldap.ldapconn.version=3', + 'auths.instance.UserDirEnrollment.ldap.maxConns=', + 'auths.instance.UserDirEnrollment.ldap.minConns=', + 'auths.instance.UserDirEnrollment.ldapByteAttributes=', + 'auths.instance.UserDirEnrollment.ldapStringAttributes=uid,cn,mail', + 'auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth'] + + param = ['auth.explicitApprovalRequired=true', + 'authz.acl=group=requestors'] + + for i in ldap_conf: + ansible_module.lineinfile(path=ca_config_path, insertafter='^auths._002=', line=i) + for k in param: + ansible_module.lineinfile(path=ca_profile_path, insertafter='^auth.instance_id', line=k) + log.info('Successfully added LDAP authentication configuration') + + # Restart the CA subsystem + ansible_module.command('pki-server restart {}'.format(constants.CA_INSTANCE_NAME)) + time.sleep(5) + + # Create the certificate request with user 'reqUser1' + cmd = 'pki -d {} -c {} -U http://{}:{} client-cert-request uid={} --profile=caDirUserCert --algorithm rsa ' \ + '--length 2048 --type pkcs10 --username {} --password'.format(constants.NSSDB, + constants.CLIENT_DATABASE_PASSWORD, + constants.MASTER_HOSTNAME, + constants.CA_HTTP_PORT, + user_name, user_name) + cmd_out = ansible_module.expect(command=cmd, + responses={"Password:": "{}".format(constants.CA_PASSWORD)}) + for result in cmd_out.values(): + if result['rc'] == 0: + assert 'Operation Result: success' in result['stdout'] + assert 'Type: enrollment' in result['stdout'] + assert 'Request Status: pending' in result['stdout'] + log.info('Successfully submitted the certificate request with no automated issuance') + else: + log.error(result['stderr']) + log.error(result['stdout']) + pytest.fail('Failed to run: {}'.format(result['cmd'])) + + # Create the certificate request with user 'caadmin' + cmd = 'pki -d {} -c {} -U http://{}:{} client-cert-request uid={} --profile=caDirUserCert --algorithm rsa ' \ + '--length 2048 --type pkcs10 --username {} --password'.format(constants.NSSDB, + constants.CLIENT_DATABASE_PASSWORD, + constants.MASTER_HOSTNAME, + constants.CA_HTTP_PORT, + 'caadmin', 'caadmin') + cmd_out = ansible_module.expect(command=cmd, + responses={"Password:": "{}".format(constants.CA_PASSWORD)}) + for result in cmd_out.values(): + if result['rc'] > 0: + assert 'Authorization failed: Authorization failed on resource: group=requestors, operation: {1}' in result['stdout'] + log.info('Failed to submit the request for non group member user') + else: + assert 'Operation Result: success' in result['stdout'] + assert 'Request Status: pending' in result['stdout'] + pytest.fail('Failed to run: {}'.format(result['cmd'])) +